The following issues were found
security/tomoyo/condition.c
3 issues
Line: 261
Column: 21
CWE codes:
126
*/
static const struct tomoyo_path_info *tomoyo_get_dqword(char *start)
{
char *cp = start + strlen(start) - 1;
if (cp == start || *start++ != '"' || *cp != '"')
return NULL;
*cp = '\0';
if (*start && !tomoyo_correct_word(start))
Reported by FlawFinder.
Line: 323
Column: 20
CWE codes:
126
{
const struct tomoyo_path_info *name;
const struct tomoyo_path_info *value;
char *cp = left + strlen(left) - 1;
if (*cp-- != ']' || *cp != '"')
goto out;
*cp = '\0';
if (!tomoyo_correct_word(left))
Reported by FlawFinder.
Line: 506
Column: 49
CWE codes:
126
struct tomoyo_condition e = { };
char * const start_of_string =
tomoyo_get_transit_preference(param, &e);
char * const end_of_string = start_of_string + strlen(start_of_string);
char *pos;
rerun:
pos = start_of_string;
while (1) {
Reported by FlawFinder.
sound/usb/line6/capture.c
3 issues
Line: 107
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
len = runtime->buffer_size - line6pcm->in.pos_done;
if (len > 0) {
memcpy(runtime->dma_area +
line6pcm->in.pos_done * bytes_per_frame, fbuf,
len * bytes_per_frame);
memcpy(runtime->dma_area, fbuf + len * bytes_per_frame,
(frames - len) * bytes_per_frame);
} else {
Reported by FlawFinder.
Line: 110
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(runtime->dma_area +
line6pcm->in.pos_done * bytes_per_frame, fbuf,
len * bytes_per_frame);
memcpy(runtime->dma_area, fbuf + len * bytes_per_frame,
(frames - len) * bytes_per_frame);
} else {
/* this is somewhat paranoid */
dev_err(line6pcm->line6->ifcdev,
"driver bug: len = %d\n", len);
Reported by FlawFinder.
Line: 119
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
} else {
/* copy single chunk */
memcpy(runtime->dma_area +
line6pcm->in.pos_done * bytes_per_frame, fbuf, fsize);
}
line6pcm->in.pos_done += frames;
if (line6pcm->in.pos_done >= runtime->buffer_size)
Reported by FlawFinder.
scripts/recordmcount.h
3 issues
Line: 278
Column: 17
CWE codes:
126
Elf_Shdr *const shdr0 = (Elf_Shdr *)(old_shoff + (void *)ehdr);
unsigned int const old_shnum = get_shnum(ehdr, shdr0);
unsigned int const new_shnum = 2 + old_shnum; /* {.rel,}__mcount_loc */
uint_t t = 1 + strlen(mc_name) + _w(shstr->sh_size);
uint_t new_e_shoff;
shstr->sh_size = _w(t);
shstr->sh_offset = _w(sb.st_size);
t += sb.st_size;
Reported by FlawFinder.
Line: 294
Column: 26
CWE codes:
126
return -1;
if (uwrite(old_shstr_sh_offset + (void *)ehdr, old_shstr_sh_size) < 0)
return -1;
if (uwrite(mc_name, 1 + strlen(mc_name)) < 0)
return -1;
/* old(modified) Elf_Shdr table, word-byte aligned */
if (ulseek(t, SEEK_SET) < 0)
return -1;
Reported by FlawFinder.
Line: 307
Column: 56
CWE codes:
126
/* new sections __mcount_loc and .rel__mcount_loc */
t += 2*sizeof(mcsec);
mcsec.sh_name = w((sizeof(Elf_Rela) == rel_entsize) + strlen(".rel")
+ old_shstr_sh_size);
mcsec.sh_type = w(SHT_PROGBITS);
mcsec.sh_flags = _w(SHF_ALLOC);
mcsec.sh_addr = 0;
mcsec.sh_offset = _w(t);
Reported by FlawFinder.
sound/soc/intel/skylake/skl-nhlt.c
3 issues
Line: 166
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
nhlt->header.oem_revision);
skl_nhlt_trim_space(platform_id);
return sprintf(buf, "%s\n", platform_id);
}
static DEVICE_ATTR_RO(platform_id);
int skl_nhlt_create_sysfs(struct skl_dev *skl)
Reported by FlawFinder.
Line: 159
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct hdac_bus *bus = pci_get_drvdata(pci);
struct skl_dev *skl = bus_to_skl(bus);
struct nhlt_acpi_table *nhlt = (struct nhlt_acpi_table *)skl->nhlt;
char platform_id[32];
sprintf(platform_id, "%x-%.6s-%.8s-%d", skl->pci_id,
nhlt->header.oem_id, nhlt->header.oem_table_id,
nhlt->header.oem_revision);
Reported by FlawFinder.
Line: 161
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct nhlt_acpi_table *nhlt = (struct nhlt_acpi_table *)skl->nhlt;
char platform_id[32];
sprintf(platform_id, "%x-%.6s-%.8s-%d", skl->pci_id,
nhlt->header.oem_id, nhlt->header.oem_table_id,
nhlt->header.oem_revision);
skl_nhlt_trim_space(platform_id);
return sprintf(buf, "%s\n", platform_id);
Reported by FlawFinder.
net/tipc/topsrv.c
3 issues
Line: 75
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct workqueue_struct *rcv_wq;
struct workqueue_struct *send_wq;
struct socket *listener;
char name[TIPC_SERVER_NAME_LEN];
};
/**
* struct tipc_conn - TIPC connection structure
* @kref: reference counter to connection object
Reported by FlawFinder.
Line: 329
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!e)
goto err;
e->inactive = (event == TIPC_SUBSCR_TIMEOUT);
memcpy(&e->evt, evt, sizeof(*evt));
spin_lock_bh(&con->outqueue_lock);
list_add_tail(&e->list, &con->outqueue);
spin_unlock_bh(&con->outqueue_lock);
if (queue_work(srv->send_wq, &con->swork))
Reported by FlawFinder.
Line: 612
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!skb)
return;
msg_set_dest_droppable(buf_msg(skb), true);
memcpy(msg_data(buf_msg(skb)), evt, sizeof(*evt));
skb_queue_head_init(&evtq);
__skb_queue_tail(&evtq, skb);
tipc_loopback_trace(net, &evtq);
tipc_sk_rcv(net, &evtq);
}
Reported by FlawFinder.
scripts/kconfig/lxdialog/inputbox.c
3 issues
Line: 43
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
if (!init)
instr[0] = '\0';
else
strcpy(instr, init);
do_resize:
if (getmaxy(stdscr) <= (height - INPUTBOX_HEIGTH_MIN))
return -ERRDISPLAYTOOSMALL;
if (getmaxx(stdscr) <= (width - INPUTBOX_WIDTH_MIN))
Reported by FlawFinder.
Line: 11
Column: 1
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#include "dialog.h"
char dialog_input_result[MAX_LEN + 1];
/*
* Print the termination buttons
*/
static void print_buttons(WINDOW * dialog, int height, int width, int selected)
Reported by FlawFinder.
Line: 88
Column: 8
CWE codes:
126
wmove(dialog, box_y, box_x);
wattrset(dialog, dlg.inputbox.atr);
len = strlen(instr);
pos = len;
if (len >= box_width) {
show_x = len - box_width + 1;
input_x = box_width - 1;
Reported by FlawFinder.
sound/core/seq/seq_memory.c
3 issues
Line: 77
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
return len;
if (event->data.ext.len & SNDRV_SEQ_EXT_USRPTR) {
char buf[32];
char __user *curptr = (char __force __user *)event->data.ext.ptr;
while (len > 0) {
int size = sizeof(buf);
if (len < size)
size = len;
Reported by FlawFinder.
Line: 118
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
static int seq_copy_in_kernel(char **bufptr, const void *src, int size)
{
memcpy(*bufptr, src, size);
*bufptr += size;
return 0;
}
static int seq_copy_in_user(char __user **bufptr, const void *src, int size)
Reported by FlawFinder.
Line: 345
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto __error;
}
} else {
memcpy(&tmp->event, buf, size);
}
buf += size;
len -= size;
}
}
Reported by FlawFinder.
sound/synth/emux/emux_seq.c
3 issues
Line: 86
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
for (i = 0; i < emu->num_ports; i++) {
struct snd_emux_port *p;
sprintf(tmpname, "%s Port %d", emu->name, i);
p = snd_emux_create_port(emu, tmpname, MIDI_CHANNELS,
0, &pinfo);
if (!p) {
snd_printk(KERN_ERR "can't create port\n");
return -ENOMEM;
Reported by FlawFinder.
Line: 370
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (snd_virmidi_new(card, emu->midi_devidx + i, &rmidi) < 0)
goto __error;
rdev = rmidi->private_data;
sprintf(rmidi->name, "%s Synth MIDI", emu->name);
rdev->seq_mode = SNDRV_VIRMIDI_SEQ_ATTACH;
rdev->client = emu->client;
rdev->port = emu->ports[i];
if (snd_device_register(card, rmidi) < 0) {
snd_device_free(card, rmidi);
Reported by FlawFinder.
Line: 59
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
int i;
struct snd_seq_port_callback pinfo;
char tmpname[64];
emu->client = snd_seq_create_kernel_client(card, index,
"%s WaveTable", emu->name);
if (emu->client < 0) {
snd_printk(KERN_ERR "can't create client\n");
Reported by FlawFinder.
sound/soc/intel/skylake/skl-messages.c
3 issues
Line: 485
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (mconfig->formats_config.caps_size == 0)
return;
memcpy(cpr_mconfig->gtw_cfg.config_data,
mconfig->formats_config.caps,
mconfig->formats_config.caps_size);
cpr_mconfig->gtw_cfg.config_length =
(mconfig->formats_config.caps_size) / 4;
Reported by FlawFinder.
Line: 651
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
dma_ctrl->config_length = DMA_I2S_BLOB_SIZE;
memcpy(dma_ctrl->config_data, caps, caps_size);
err = skl_ipc_set_large_config(&skl->ipc, &msg, (u32 *)dma_ctrl);
kfree(dma_ctrl);
return err;
Reported by FlawFinder.
Line: 756
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (mconfig->formats_config.caps_size == 0)
return;
memcpy(algo_mcfg->params,
mconfig->formats_config.caps,
mconfig->formats_config.caps_size);
}
Reported by FlawFinder.
samples/binderfs/binderfs_example.c
3 issues
Line: 51
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
exit(EXIT_FAILURE);
}
memcpy(device.name, "my-binder", strlen("my-binder"));
fd = open("/dev/binderfs/binder-control", O_RDONLY | O_CLOEXEC);
if (fd < 0) {
fprintf(stderr, "%s - Failed to open binder-control device\n",
strerror(errno));
Reported by FlawFinder.
Line: 53
Column: 7
CWE codes:
362
memcpy(device.name, "my-binder", strlen("my-binder"));
fd = open("/dev/binderfs/binder-control", O_RDONLY | O_CLOEXEC);
if (fd < 0) {
fprintf(stderr, "%s - Failed to open binder-control device\n",
strerror(errno));
exit(EXIT_FAILURE);
}
Reported by FlawFinder.
Line: 51
Column: 35
CWE codes:
126
exit(EXIT_FAILURE);
}
memcpy(device.name, "my-binder", strlen("my-binder"));
fd = open("/dev/binderfs/binder-control", O_RDONLY | O_CLOEXEC);
if (fd < 0) {
fprintf(stderr, "%s - Failed to open binder-control device\n",
strerror(errno));
Reported by FlawFinder.